UNECE WP.29 Regulation No. 155

UNECE WP.29 Regulation No. 155, officially titled "Uniform provisions concerning the approval of vehicles with regard to cybersecurity and cybersecurity management system," came into force in January 2021 and became mandatory for new vehicle types from July 2022. This regulation requires vehicle manufacturers (OEMs) to establish and maintain a certified Cybersecurity Management System (CSMS) throughout the entire vehicle lifecycle, from design and development to production and post-production. It addresses various aspects including risk assessment, risk management, supply chain management, software update management, and incident response. R155 is a regulatory requirement, while ISO/SAE 21434 "Road vehicles — Cybersecurity engineering" provides the technical guidance for implementing these requirements.

Enterprises apply UNECE WP.29 R155 by establishing and operating a Cybersecurity Management System (CSMS). 1. Risk Assessment and Treatment: Companies must conduct comprehensive cybersecurity risk assessments for vehicles and components, identifying potential threats and vulnerabilities, and developing risk treatment plans, often guided by ISO/SAE 21434. For instance, designing encrypted communication for potential attack surfaces in in-vehicle infotainment systems. 2. Supply Chain Management: Extend cybersecurity requirements to suppliers, ensuring all links in the supply chain comply with R155. This includes demanding cybersecurity evidence from suppliers and conducting regular audits. 3. Software Updates and Incident Response: Implement secure software update mechanisms (also complying with R156) and establish cybersecurity incident response plans to rapidly detect, analyze, and respond to cyberattacks. Implementing R155 can reduce cybersecurity incidents by over 15% and increase compliance audit pass rates to over 95%, ensuring smooth type approval for new vehicle models.

Taiwan enterprises face several challenges in implementing R155: 1. Regulatory Understanding and Translation: The complexity of R155 and its multi-domain technical requirements can be challenging for Taiwanese companies to fully grasp and translate into actionable implementation plans. Solution: Seek professional consulting for regulatory interpretation, gap analysis, and customized implementation roadmaps. 2. Technical Capability and Resource Constraints: Establishing a CSMS demands significant investment in cybersecurity professionals, tools, and technology, which can be a heavy burden for SMEs. Solution: Prioritize training key internal personnel and consider partnering with third-party cybersecurity service providers to leverage their expertise and platforms, reducing initial investment costs. 3. Supply Chain Collaboration and Management: R155 mandates extending cybersecurity throughout the supply chain, but many Taiwanese suppliers may lack the necessary cybersecurity awareness and capabilities, hindering collaboration. Solution: Develop clear supplier cybersecurity requirements, provide training and guidance, and establish supplier assessment and audit mechanisms to progressively enhance the overall supply chain's cybersecurity maturity. Aim to achieve 80% R155 compliance among core suppliers within 12-18 months.

Winners Consulting specializes in UNECE WP.29 R155 for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact